Analysis and opinion by Christopher Soghoian, security and privacy researcher.

Sunday, March 04, 2007

How The RIAA and MPAA Unknowingly Assist Child Pornographers

Or: How the Media Companies did more to spread cryptography, anonymity preserving technology and general knowledge about good online privacy hygiene than an army of activist cypherpunks ever could have

[Ed: I have to admit, I'm pretty proud of the fact that I've managed to tar two of the great Satans in the world, the RIAA and MPAA, with the kiddie porn brush. It's about time, since they've been doing the same to anonymity researchers for years]

A few years back, after waiting all night outside the US Supreme Court, I saw a semi-familiar face walking towards the front of the courthouse. Without thinking, I ran up to him and asked if I could have my photo taken with him. True, he is an extremely evil and corrupt man. Not quite as bad as Pol Pot, or even Cheney, but still evil enough. His name is Jack Valenti, and this blog post describes how, strangely enough, he and his cohorts make the lives of child pornographers far better, and far safer.

-------

Music and software piracy existed long before Napster. It took place on Internet newsgroups (Usenet), bulletin board systems (BBS), FTP, and good old fashioned person-to-person exchange via floppy disks. The real threat that Napster posed was that it was really easy to use. So simple, in fact, that a non-technical user could quickly figure it out. What Napster did, essentially, was make an entire generation of non-technical users into 'pirates'.

We all know the story: Napster was shut down by the record labels, and shortly afterwards, decentralized systems like Gnutella and Kazaa took its place. While Napster had been a centralized system (with verbose logging, should law enforcement ever need it), the new systems were extremely difficult to take down, and presented a significant problem for anyone who wished to do forensic analysis after the fact - since there were no centralized records of who uploaded and downloaded which files.

Whereas before, the FBI could have sent Napster a subpoena stating "Tell us every user sharing these 5000 kiddie porn files", the new networks were purpose-built so that nobody was in a position to answer such a request. Not because the designers wanted to help those sharing kiddie porn, but because the record labels were using the very same techniques against file sharers that the FBI used to combat child porn.

Fast forward a few years.

The record companies have their agents (like BayTSP) regularly trawling P2P networks looking for copyrighted content. The FBI and other parts of the government are either already using similar technologies, or surely must be developing them.

In response, users have deployed technologies like PeerGuardian, which block network addresses known to be used by the record companies and their contractors. And since DOJ has decided to begin, albeit slowly, prosecuting major P2P offenders, government investigators will soon find themselves added to these blacklists - if they haven't been added already.
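To make the blocking mechanism concrete, here is an added example (not code from the original post, and not PeerGuardian's own code) of the core of such a tool: it parses a blocklist in the plain-text "name:start-end" P2P format that PeerGuardian-style programs consume, merges overlapping ranges, and rejects peers whose addresses fall inside a listed range. The blocklist itself is constructed for the example and uses RFC 5737 documentation addresses; the organization names in it are placeholders, not real monitoring companies.

```python
import bisect
import ipaddress

# Constructed sample blocklist in the P2P plain-text "name:start-end" format.
# The ranges are RFC 5737 documentation addresses and the names are
# placeholders; none of this corresponds to a real organization.
SAMPLE_BLOCKLIST = """\
# comment lines and blank lines are ignored

Example Anti-P2P Contractor:192.0.2.0-192.0.2.255
Example Law Firm Monitoring:198.51.100.128-198.51.100.191
Example Government Crawler:203.0.113.42-203.0.113.42
"""


def parse_p2p(text):
    """Parse P2P plain-text lines into (start, end, name) tuples with the
    addresses as integers. Malformed lines are skipped so that one bad
    entry in a large list does not disable the whole filter."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # The name may itself contain ':', so split on the last one.
        name, sep, span = line.rpartition(":")
        if not sep or "-" not in span:
            continue
        lo_s, _, hi_s = span.partition("-")
        try:
            lo = int(ipaddress.IPv4Address(lo_s.strip()))
            hi = int(ipaddress.IPv4Address(hi_s.strip()))
        except ValueError:
            continue
        if lo > hi:
            lo, hi = hi, lo
        ranges.append((lo, hi, name.strip()))
    return ranges


class Blocklist:
    """Sorted, merged interval table. A lookup per incoming peer is a
    binary search, so it stays cheap for lists with hundreds of
    thousands of entries."""

    def __init__(self, ranges):
        merged = []
        for lo, hi, name in sorted(ranges):
            if merged and lo <= merged[-1][1] + 1:
                # Overlapping or adjacent: extend the previous interval and
                # keep its name (the first entry that covered the space).
                plo, phi, pname = merged[-1]
                merged[-1] = (plo, max(phi, hi), pname)
            else:
                merged.append((lo, hi, name))
        self._merged = merged
        self._starts = [lo for lo, _, _ in merged]

    def match(self, ip):
        """Return the name of the entry covering ip, or None if unlisted."""
        n = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self._starts, n) - 1
        if i >= 0:
            lo, hi, name = self._merged[i]
            if lo <= n <= hi:
                return name
        return None


def filter_peers(blocklist, peers):
    """Split candidate peer addresses into (allowed, blocked) lists of
    (ip, matched_name) pairs; matched_name is None for allowed peers."""
    allowed, blocked = [], []
    for ip in peers:
        name = blocklist.match(ip)
        (blocked if name else allowed).append((ip, name))
    return allowed, blocked


if __name__ == "__main__":
    bl = Blocklist(parse_p2p(SAMPLE_BLOCKLIST))
    ok, dropped = filter_peers(bl, ["10.0.0.1", "192.0.2.200", "203.0.113.42"])
    print("allowed:", ok)
    print("blocked:", dropped)
```

The limitation a practitioner should keep in mind is the one the post goes on to describe from the other side: a list like this only blocks addresses that someone has already catalogued, so a monitoring client run from an unlisted address passes straight through, while an over-broad range silently cuts off ordinary peers.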

Let us now consider the case of encryption:

Shortly after the crypto wars, the only people using encryption on their machines were paranoid crypto-geeks, or cypherpunks, as they called themselves. The tools were far too difficult to use to be deployed by the common man.

Fast forward a few years. The makers of Kazaa learned many lessons from their interactions with the record labels. When they developed their next program, Skype, they built cryptographic protocols into the core of the program. Every single Skype call is encrypted - and if the call never leaves the Skype network, then no one but the two callers can listen in. To make things even more difficult, just as with Kazaa, Skype was developed in Eastern Europe and owned by a company in another country. This multi-jurisdictional separation makes subpoenas quite tricky.

Skype is now the most widely deployed cryptographic application ever. It's easy to use, it is used by millions of Internet users around the world, and the government has no real way to tap voice data as it crosses the network - CALEA or not.

The point that I am trying to make is the following:

By going after people for sharing movies and music online, the major media companies have essentially created a huge market for anonymous (or close to anonymous) technologies. Technologies such as Tor, Freenet, Gnutella, and Skype arguably wouldn't exist as they do today if the media companies hadn't gone after 'pirates' with such vigor. And with the influx of millions of new users, these programs have become better - either through more financial support and advertising, or through new developers and open source coders who are finding bugs and adding features.

P2P enforcement forced anonymity and evasion technologies to evolve far faster than they ever would have if the FBI had been the only 'threat' to privacy online.

However, these technologies do not just make the task of detecting copyrighted works more difficult - they make the FBI's job of finding child pornographers more difficult. Far more people use encryption now. Far more people erase data, and turn off logging.

The mass publicity of the NSA lawsuits has only cemented the idea in the public consciousness that email can be read, and so, I would argue, less sensitive information is now sent by email. More people - not all, but more - know that their email is not secure.

And now, with all the press relating to data loss and breaches at companies, we are finding that many Fortune 500 companies are demanding full disk encryption from their operating system suppliers. This will roll downhill. Someone who gets comfortable with the idea of an encrypted filesystem at work will be far more likely to turn that option on when they install Windows Vista at home. This will, of course, hugely frustrate the FBI. This isn't to say that they can't get at the data (a seized machine that is still powered on, or a weak passphrase, is not protected by the encryption), but it makes their lives far, far more difficult.

What is the moral to this story? The record companies have made an entire generation of college students into criminals, and so those college kids have resorted to technical means of avoiding detection - which together create a gigantic crowd of encrypted and obfuscated data in which 'real' criminals can hide. These evasion methods are the very same techniques that frustrate legitimate and useful law enforcement, which suffers as an unintended side effect. The ability to catch genuine terrorists and child pornographers is significantly limited by the short-sighted actions of the major media companies.

And the thing is - it's too late to fix it. The genie is out of the bottle.

Just as the drug war has made an entire generation fear and mistrust the police, the P2P wars have given the Internet generation a reason to protect their privacy, or at least frustrate forensic analysis of their online activity.

So the next time you see an article describing a new tactic that the record labels are taking to stamp out piracy - Stop for a moment, and please, think of the children.

Note: I started coming up with the idea for this blog post a week ago over lunch with a colleague. However, I decided to hurry up and finish it after reading a recent law review article by Eric Stieglitz (ANONYMITY ON THE INTERNET: HOW DOES IT WORK, WHO NEEDS IT, AND WHAT ARE ITS POLICY IMPLICATIONS?). You can find it on Westlaw or Lexis if you're lucky enough to have an account.

4 comments:

I had some trouble finding the article, and I think it's because it hasn't been published (or hasn't been added to Lexis and Westlaw yet). Based on this page, though, I expect the citation will be 24 Cardozo Arts & Ent. L.J. 1395.

Christopher Soghoian, Ph.D. is a Washington, DC based privacy and security researcher. He is the Principal Technologist in the Speech, Privacy and Technology Project at the American Civil Liberties Union.